Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

US privacy child consent clarifications #84

Open
wants to merge 11 commits into
base: develop
Choose a base branch
from
Open

US privacy child consent clarifications #84

Show file tree
Hide file tree
Changes from 7 commits
Commits
Show all changes
11 commits
Select commit Hold shift + click to select a range
3c74f10
Update IAB Privacy’s National Privacy Technical Specification.md
lamrowena Jun 26, 2023
17fb659
Clarifications to KnownChildConsents CA
lamrowena Jun 26, 2023
f951e3a
Clarifications to KnownChildConsents CO
lamrowena Jun 26, 2023
dc17753
Clarifications to KnownChildConsents CT
lamrowena Jun 26, 2023
15ea30f
Clarifications to KnownChildConsents UT
lamrowena Jun 26, 2023
61a2918
US state section hyperlinks
lamrowena Jun 26, 2023
2fb2639
Updated to under 17
lamrowena Jul 3, 2023
11cdb8e
Update GPP Extension: IAB Privacy’s California Privacy Technical Spec…
jaredmoscow Jun 24, 2024
6321c0f
Update GPP Extension: IAB Privacy’s Colorado Privacy Technical Specif…
jaredmoscow Jun 24, 2024
a88d06b
Update GPP Extension: IAB Privacy’s Connecticut Privacy Technical Spe…
jaredmoscow Jun 24, 2024
a21cfba
Update GPP Extension: IAB Privacy’s Utah Privacy Technical Specificat…
jaredmoscow Jun 24, 2024
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
12 changes: 6 additions & 6 deletions Sections/Section Information.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -58,32 +58,32 @@ Each section represents a unique privacy signal, usually a unique jurisdiction.
<tr>
<td><code>7</code></td>
<td>usnat</td>
<td>US - national section </td>
<td><a href="https://github.com/InteractiveAdvertisingBureau/Global-Privacy-Platform/tree/main/Sections/US-National">US - national section </a></td>
</tr>
<tr>
<td><code>8</code></td>
<td>usca</td>
<td>US - California section </td>
<td><a href="https://github.com/InteractiveAdvertisingBureau/Global-Privacy-Platform/tree/main/Sections/US-States/CA">US - California section </a></td>
</tr>
<tr>
<td><code>9</code></td>
<td>usva</td>
<td>US - Virginia section </td>
<td><a href="https://github.com/InteractiveAdvertisingBureau/Global-Privacy-Platform/tree/main/Sections/US-States/VA">US - Virginia section </a></td>
</tr>
<tr>
<td><code>10</code></td>
<td>usco</td>
<td>US - Colorado section </td>
<td><a href="https://github.com/InteractiveAdvertisingBureau/Global-Privacy-Platform/tree/main/Sections/US-States/CO">US - Colorado section </a></td>
</tr>
<tr>
<td><code>11</code></td>
<td>usut</td>
<td>US - Utah section </td>
<td><a href="https://github.com/InteractiveAdvertisingBureau/Global-Privacy-Platform/tree/main/Sections/US-States/UT">US - Utah section </a></td>
</tr>
<tr>
<td><code>12</code></td>
<td>usct</td>
<td>US - Connecticut section </td>
<td><a href="https://github.com/InteractiveAdvertisingBureau/Global-Privacy-Platform/tree/main/Sections/US-States/CT">US - Connecticut section </a></td>
</td>
</td>
</tr>
Expand Down
23 changes: 16 additions & 7 deletions Sections/US-National/IAB Privacy’s National Privacy Technical Specification.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,7 +24,11 @@
</div>

<h2>US National Privacy Section</h2>
<p style="text-align: justify;">The US National Privacy Section is a string that consists of the components described below. Users should employ the US National Privacy Section only if they will adhere to the National Approach for their processing of a consumer&rsquo;s personal data.</p>
<p style="text-align: justify;">The US National Privacy Section is a string that consists of the components described below. The US National Privacy Section is intended to be used for MSPA Covered Transactions. The requirements for using the US National Privacy Section for MSPA Covered Transactions are defined by the MSPA “US National Approach” as a way to comply with the highest common denominator of all different state privacy law requirements in circumstances where the First Party setting the values for the string: (1) does not know the state residency of the Consumer; or (2) otherwise does not wish to use the Consumer’s specific state residency to differentiate how they will treat the Consumer for purposes of compliance with applicable state privacy laws. Requirements for using the components of the US National Privacy Section relating to sensitive data and childrens’ data are not currently defined by the MSPA, but may be defined by a future amendment or addendum to the MSPA.</p>

<p>Notwithstanding that the US National Privacy Section is intended to be used in conjunction with the MSPA, those who use it for non-MSPA Covered Transactions are representing to recipients of the string whether they have complied with the specific state law requirements referenced in the description of each string component.</p>

<p>The US National Privacy Section does not reflect any requirements of US federal law (for example, it does not reflect any COPPA consent requirements) and instead is intended only for use as a tool for compliance with applicable US state privacy law requirements. </p>
<h3>Summary</h3>
<div>
<table>
Expand Down Expand Up @@ -254,12 +258,17 @@
<tr>
<td>KnownChildSensitiveDataConsents</td>
<td>N-Bitfield(2,2)</td>
<td>Two bits for each Data Activity:<code>0</code> Not Applicable. The Business does not have actual knowledge that it Processes Personal Data or Sensitive Data of a Consumer who is a known child.<p><code>1</code> No Consent<p><code>2</code> Consent&nbsp;<p>(1) Consent to Process the Consumer&rsquo;s Personal Data or Sensitive Data for Consumers from Age 13 to 16.<p><p>References:
<ul>
<li>Cal. Civ. Code Cal. Civ. Code 1798.120(c)</li>
<li>Conn. PA 22-15, Sec. 6(a)(4)</li>
</ul>
(2) Consent to Process the Consumer&rsquo;s Personal Data or Sensitive Data for Consumers Younger Than 13 Years of Age.<p><p>References:
<td>Two bits for each Data Activity:
<p></p><code>0</code> Not Applicable. The Business does not have actual knowledge that it Processes Personal Data or Sensitive Data of a Consumer who is under 17 years old.<p><code>1</code> No Consent<p><code>2</code> Consent&nbsp;
<p>Data Activities:</p>
<p>(1) Consumer Consent to Process the Consumer’s Personal Data or Sensitive Data for selling, sharing, or targeted advertising for a Consumer between the age of 13 and 16.
<p>References:
<ul>
<li>Cal. Civ. Code Cal. Civ. Code 1798.120(c)</li>
<li>Conn. PA 22-15, Sec. 6(a)(4)</li>
</ul>
<p></p>(2) Verifiable consent obtained from the Consumer’s parent or lawful guardian to Process the Personal Data or Sensitive Data of a Consumer Younger Than 13 Years of Age.
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is younger capitalized?

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This was there from the original requirements document.

<p><p>References:
<ul>
<li>Cal. Civ. Code Cal. Civ. Code 1798.120(c)</li>
<li>Virginia Code 59.1-578(A)(5)</li>
Expand Down
2 changes: 1 addition & 1 deletion ...s/CA/GPP Extension: IAB Privacy’s California Privacy Technical Specification.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -98,7 +98,7 @@
<tr>
<td style="text-align:left">KnownChildSensitiveDataConsents</td>
<td style="text-align:left">N-Bitfield(2,2)</td>
<td style="text-align:left">Two bits for each Data Activity:<p><code>0</code> Not Applicable. The Business does not have actual knowledge that it Processes Personal Information of Consumers Less Than 16 years of Age.<p><code>1</code> No Consent<p><code>2</code> Consent<p>Data Activities:<p>(1) Consent to Sell the Personal Information of Consumers Less Than 16 years of Age<p>(2) Consent to Share the Personal Information of Consumers Less Than 16 years of Age</td>
<td style="text-align:left">Two bits for each Data Activity:<p><code>0</code> Not Applicable. The Business does not have actual knowledge that this transaction involves Processing the Personal Information of a Consumer who is Less Than 16 years of Age.<p><code>1</code> No Consent<p><code>2</code> Consent<p>Data Activities:<p>(1) Consent to Sell the Personal Information of Consumers Less Than 16 years of Age. For a Consumer the Business has actual knowledge is under 13 years of age, this must be consent given by the Consumer’s parent or guardian. For a Consumer the Business has actual knowledge is between the ages of 13 and 16, this must be Consumer consent.<p>(2) Consent to Share the Personal Information of Consumers Less Than 16 years of Age. For a Consumer the Business has actual knowledge is under 13 years of age, this must be consent given by the Consumer’s parent of guardian. For a Consumer the Business has actual knowledge is between the ages of 13 and 16, this must be Consumer consent.</td>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

It is unclear which bit is for 0-12 and which is for 13-15 (or is it 13-16?), as both groups are discussed in both parts

Copy link
Collaborator Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The first bit is for the sell of personal information and the second bit is the for the share of personal information. For each bit, if the consumer is under 13, the consent must be given by the parent or guardian. And if the consumer is between 13 and 16, consent must be given but by the consumer.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this still reads as broken to me

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

13-16 is not a subset of "Less Than 16 years"

</tr>
<tr>
<td style="text-align:left">PersonalDataConsents</td>
Expand Down
2 changes: 1 addition & 1 deletion ...tes/CO/GPP Extension: IAB Privacy’s Colorado Privacy Technical Specification.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@
<tr>
<td style="text-align:left">KnownChildSensitiveDataConsents</td>
<td style="text-align:left">Int(2)</td>
<td style="text-align:left">Consent to Process Sensitive Data from a Known Child.<p><code>0</code> Not Applicable. The Controller does not Process Sensitive Data of a known Child.<p><code>1</code> No Consent<p><code>2</code> Consent</td>
<td style="text-align:left">Consent to Process Sensitive Data from a Known Child given by the Consumer’s parent or lawful guardian.<p><code>0</code> Not Applicable. The Controller does not Process Sensitive Data of a Known Child.<p><code>1</code> No Consent<p><code>2</code> Consent</td>
</tr>
<tr>
<td style="text-align:left">MspaCoveredTransaction</td>
Expand Down
2 changes: 1 addition & 1 deletion .../CT/GPP Extension: IAB Privacy’s Connecticut Privacy Technical Specification.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -95,7 +95,7 @@
<tr>
<td style="text-align:left">KnownChildSensitiveDataConsents</td>
<td style="text-align:left">N-Bitfield(2,3)</td>
<td style="text-align:left">Two bits for each Data Activity:<p><code>0</code> Not Applicable. The Controller does not Process Sensitive Data of a known Child.<p><code>1</code> No Consent<p><code>2</code> Consent<p>(1) Consent to Process Sensitive Data from a Known Child.<p>(2) Consent to Sell the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age.<p>(3) Consent to Process the Personal Data of Consumers At Least 13 Years of Age but Younger Than 16 Years of Age for Purposes of Targeted Advertising.</td>
<td style="text-align:left">Two bits for each Data Activity:<p><code>0</code> Not Applicable. The Controller does not Process Sensitive Data of a Consumer the Business has actual knowledge is less than 16 years old.<p><code>1</code> No Consent<p><code>2</code> Consent<p>(1) Verifiable parental consent to Process Sensitive Data from a Consumer the Business has actual knowledge is less than 13 years old.<p>(2) Consumer Consent to Sell the Consumer’s Personal Data for a Consumer at Least 13 Years of Age but Younger Than 16 Years of Age.<p>(3) Consumer Consent to Process the Consumer’s Personal Data for Purposes of Targeted Advertising for a Consumer At Least 13 Years of Age but Younger Than 16 Years of Age.</td>
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

this is also reading as broken to me, for example, writing 0 in the first bit field might suggest the business doesnt process data for a 14 year old even though the field is exclusive to 0-12 year olds

</tr>
<tr>
<td style="text-align:left">MspaCoveredTransaction</td>
Expand Down
2 changes: 1 addition & 1 deletion ...-States/UT/GPP Extension: IAB Privacy’s Utah Privacy Technical Specification.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -101,7 +101,7 @@
<tr>
<td style="text-align:left">KnownChildSensitiveDataConsents</td>
<td style="text-align:left">Int(2)</td>
<td style="text-align:left">Consent to Process Sensitive Data from a Known Child<p><code>0</code> Not Applicable. The Controller does not Process Sensitive Data of a known Child.<p><code>1</code> No Consent<p><code>2</code> Consent</td>
<td style="text-align:left">Verifiable parental Consent to Process Sensitive Data of a Consumer the Business has actual knowledge is under 13 years old.<p><code>0</code> Not Applicable. The Controller does not have actual knowledge that it Process Sensitive Data of a Consumer it has actual knowledge is under 13 years old.<p><code>1</code> No Consent<p><code>2</code> Consent</td>
</tr>
<tr>
<td style="text-align:left">MspaCoveredTransaction</td>
Expand Down